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1. (Currently Amended) A method for automatically creating a record for one or more 
computer security incidents and reactions thereto, comprising the steps of: 

recording computer security incident information with at least one of a date and time 
stamp, the computer security incident information indicating one of suspicious computer activity 
comprising one or more v i olations attacks received from a network computer[[ ? ]] that eeews 
occur prior to a computer security threat and an actual computer security threat; 
classifying the computer security incident information; 

automatically suggesting a r^mnuter security threat procedure based on a 
classification of the computer security incident information; 

providing data to enable display of the computer secu rity threat procedure comprising 
one or more steps for one of investigating and responding to the computer security incident 
information; 

receiving a selection of one or more steps nf a computer security threat procedure; 

executing the selected one or more steps of the computer security threat procedure; 

in response to executing the one or more steps of the selected computer security threat 
procedure, recording executed computer security threat procedure information and results of the 
executed one or more steps of the computer security threat procedure with at least one of a date 
and time stamp; and 

outputting a record comprising the computer security incident information, executed 
computer security threat procedure information, results of one or more steps of the executed 
computer security threat procedure, an identity of a user who selected the computer security 
threat procedure, and at least one of a corresponding date stamp and time stamp. 

2. (Original) The method of Claim 1, wherein the record comprises an unmodifiable, 
permanent database. 

3. (Currently Amended) The method of Claim 1, further comprising the step of 
recording the results of the executed computer security threat procedure with a digital signature 
to enable detection of any modification of the recorded results, whereby integrity of the recorded 
results can be monitored. 
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4. (Currently Amended) Hie method of Claim 1, farther comprising the step of 
extracting information from the results of an executed computer security threat procedure. 

5. (Previously Amended) The method of Claim 4, further comprising the step of 
describing a computer security incident with said extraction informatiori. 

6. (Previously Amended) The method of Claim 1, further comprising the step of 
displaying information for a particular computer security incident to more than one user. 

7. (Original) The method of Claim 1, further comprising the step of prepopulatmg fields 
of a record of a first program module from a second program module. 

8. (Previously Amended) The method of Claim 1, further comprising the steps of : 
receiving computer security incident information from a first program module; 
processing the computer security incident information with a second program 

module; and 

forwarding the processed computer security incident information from the second 
program module to a third program module. 

9. (Currently Amended) The method of Claim 1, wherein the step of receiving a 
selection of a computer security threat procedure comprises automatically selecting a computer 
security threat procedure with a program module. 

10. (Cancelled) 

11. (Original) The method of Claim 1, wherein each step is performed automatically by 
a program module. 

12. (Original) The method of Claim 1, wherein some of the steps are performed 
automatically by a program module. 
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13. (Original) The method of Claim 1, further comprising the step of displaying reports 
comprising one or more computer security incidents. 

14. (Currently Amended) The method of Claim 1, wherein the results of an executed 
rnm pnter security threat procedure comprise at least one of text, numbers, images, or formatted 
documents. 

15. (Previously Amended) The method of Claim 1, further comprising the step of 
predicting future actions of a source of a computer security incident 

16. (Previously Amended) The method of Claim 1, further comprising the step of 
identifying the source of a computer security incident. 

17. (Previously Amended) The method of Claim 1, further comprising the step of 
sorting decoy or false computer security incidents from actual computer security incidents. 

18. (Currently Amended) The method of Claim 1, further comprising the step linking a 
first computer security threat procedure to a second computer se curity threat procedure. 

19. (Original) The method of Claim 1, further comprising the step of determining the 
authorization level of a user. 

20. (Currently Amended) The method of Claim 1, wherein the step providing data to 
enable display of a computer security threat procedure further comprises the step of providing 
data for enabling display of one or more steps of a computer security threat procedure. 
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21. (Currently Amended) The method of Claim 1, further comprising the steps of: 

providing data to enable display of a computer secu rity threat response procedure; 
executing the computer security threat response procedure; and 
in response to executing the response computer sec urity threat procedure, recording 
executed ^m pnter security threat response procedure information and results of the executed 
computer security threat response procedure with at least one of a date and time stamp. 

22. (Currently Amended) The method of Claim 1. further comprising the steps of: 

providing data to enable display of ([an]] a computer s ecurity threat investigation 

procedure; 

executing the computer security threat investigation procedure; and 
in response to executing the computer sec urity threat investigation procedure, 
recording executed computer security threat investigation procedure information and results of 
the executed computer security threat investigation procedure with at least one of a date and time 
stamp. 

23. (Currently Amended) The method of Claim 21, wherein the step of providing data 
to enable display of the computer security threat response procedure further comprises the step of 
providing data to enable display of one or more steps of the computer security threat response 
procedure. 

24. (Currently Amended) The method of Claim 1, further comprising the step of 
providing data to enable display of results of the executed computer s ecurity threat procedure. 

25. (Currently Amended) The method of Claim 23, further comprising the step of 
providing data to enable display of results of the executed computer security threat procedure. 
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26. (Currently Amended) The method of Claim 1, further comprising the steps of: 

identifying an appropriate computer to execute a step in the computer security 

threat investigation procedure; and 

identifying an appropriate computer to execute a step in the computer security 

threat response procedure. 

27. (Original) The method of Claim 26, further comprising the steps of: 

accessing a table comprising computer locations and step information; 
comparing a step to be executed with computer locations listed in the table; 
determining a match exists between the step to be executed and the computer 
locations; and 

if one or more matches exist, displaying the matching information or automatically 
selecting an appropriate location* 

28. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing an Internet address 
of a source of a computer security incident with the Internet address ranges of the table. 

29. (Original) The method of Claim 27, further comprising the step of providing data to 
enable display of an appropriate substitute computer location if a match does not exist. 

30. (Currently Amended) The method of Claim 27, further comprising the step of 
identifying an appropriate computer to execute a step in either an investigation or a computer 
security threat response procedure, wherein the computer is strategically located relative to a 
source of a computer security incident. 

31. (Currently Amended) The method of Claim 1, wherein each computer security 
threat procedure comprises one or more steps, the method further comprising the step of 
executing one or more program modules in response to a selection of a computer security threat 
procedure. 
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32. (Original) The method of Claim 31, wherein the one or more program modules 
comprise one or more software application programs that can operate as stand alone programs. 

33. (Original) The method of Claim 31, wherein at least one program module comprises 
an off-the-shelf software application program. 

34. (Previously Amended) The method of Claim 1, wherein the computer security 
incident information comprises predefined attributes. 

35. (Original) The method of Claim 34, wherein the predefined attributes comprise any 
one of a computer incident severity level, a computer incident category, a computer incident 
scope value, a computer incident status value, an attacker internet protocol (IP) address value, an 
attacker ISP name, an attacker country, an external attacker status value, an incident type vale, a 
vulnerabilities level, an entry point value, an attack profile value, a target networks value, a 
target firewalls value, a target hosts value, a target services value, a target accounts value, and a 
damage type value. 

36. (Previously Amended) The method of Claim 1 3 wherein the computer security 
incident information comprises attributes that are at least one of viable and computer-generated. 

37. (Previously Amended) The method of Claim 35, further comprising the step of 
determining whether a computer security incident comprises an actual breach in security based 
upon value of its attributes. 

38. (Currently Amended) The method of Claim U further comprising the steps of: 

receiving a selection for a step of a computer security threat procedure; and 
generating a pre-execution warning prior to the selection of a step. 
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39. (Currently Amended) The method of Claim 1 , further comprising the steps of: 

receiving a selection for a step nf a com puter security threat procedure; 
executing the selected step; and 

suggesting an appropriate subsequent step in the computer security threat 

procedure. 

40. (Currently Amended) The method of Claim 1, wherein each step is performed 
automatically in response to a detected computer comput e r security incident. 

41 . (Original) The method of Claim 1 , further comprising the steps of: 

providing data to enable display of a plurality of computer tools in a non-procedural 

manner; 

receiving a selection for a computer tool; and 
executing the selected computer tool. 



[The Remainder of this Page has been intentionally left blank*] 
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42. (Currently Amended) A method for organizing and recording reactions to one or 
more computer security incidents, comprising the steps of: 

classifying the computer security incident information; 

automatically suggesting one or more computer security threat investigation 
procedures based on a classification of the computer security incident information; 

providing data to enable display of the one or more computer security threat 
investigation procedures for investigating one of suspicious computer activity that occurs occur 
prior to a computer security threat and an actual computer security threat; 

providing data to enable display of one or more computer security threat response 
procedures for responding to one of suspicious computer activity comprising one or more 
violation s attacks received from a network computer[[,]] that occurs occur prior to a computer 
security threat and an actual computer security threat; 

in response to a selection of a computer security threat investigation procedure, 
providing data to enable display of one or more corresponding investigation steps; 

in response to a selection of a computer security threat response procedure, 
providing data to enable display of one or more corresponding response steps; and 

generating a permanent record comprising computer security incident information, 
executed investigation step and result information, executed response step and result 
information, and corresponding date and time stamps. 

43. (Currently Amended) The method of Claim 42, further comprising the step of 
recording executed investigation step information and results of the executed investigation step 
with at least one of a date and time stamp in response to a selection of a step of [[an]] computer 
security threat investigation procedure. 

44. (Currently Amended) The method of Claim 42, further comprising the step of 
recording executed response step information and results of the executed response step with at 
least one of a date and time stamp in response to a selection of a step of a computer security 
threat response procedure. 
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45- (Currently Amended) The method of Claim 42, further comprising the steps of; 

providing data to enable display of a plurality of computer security threat 

procedures; 

in response to receiving a selection of a computer security threat procedure, 
displaying a plurality of steps; 

obtaining modification information for the selected computer security threat 
procedure; and 

storing the modification information. 

46. (Currently Amended) The method of Claim 42, further comprising the step of at 
least one of adding or deleting a step in a computer security threat procedure, 

47. (Currently Amended) The method of Claim 42, further comprising the steps of: 
providing data to enable display of a plurality of steps of a computer security threat 

procedure; 

in response to selection of a step, providing data to enable display of detailed 
information fields related to the selected step; 

obtaining modification information for the selected step; and 
storing the modification information. 

48. (Currently Amended) The method of Claim 42, further comprising the step of at 
least one of adding, deleting, or modifying a step in a computer security threat procedure. 

49. (Original) The method of Claim 42, further comprising the steps of: 

obtaining computer security incident search information; and 
providing data to enable display of one or more computer security incidents 
matching the computer security incident search information. 
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50. (Original) The method of Claim 42, further comprising the steps of: 

tracking multiple computer security incidents; and 

storing information for each computer security in accordance with at least one of 
date and time stamp. 

51. (Currently Amended) A method for selecting a computer that is strategically located 
relative to a source of a computer security incident, comprising the steps of: 

accessing a table comprising computer locations, Internet address ranges associated 
with the computer locations, and computer security step information associated with the 
computer locations, the computer security step information for one of investigating and 
responding to one of suspicious computer activity comprising one or more violations attacks 
received from a network computer[[,]] that eeeufs occur prior to a computer security threat and 
an actual computer security threat, the computer locations identifying devices that are able to 
perform the computer security step information; 

comparing a computer security step to be executed and a target Internet address 
with computer locations and Internet address ranges listed in the table; 

determining if a match exists between an Internet address of a computer security 
incident and the Internet address ranges listed in the table; and 

automatically selecting a computer to execute the computer security step based 
upon the matching steps step, wherein the computer has a location and is capable of interacting 
with the Internet address of the computer security incident. 

52. (Original) The method of Claim 51, further comprising the step of: 

if one or more matches exist, providing data to enable display of the matching 

information; 

if a match does not exist, providing data to enable display of one or more 
appropriate substitute computer locations or automatically selecting an appropriate location. 

53. (Currently Amended) The method of Claim 51, wherein the computer s ecurity step 
comprises a portion of a computer security threat response procedure, wherein the computer is 
strategically located relative to a source of a computer security incident. 
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54. (Currently Amended) The method of Claim 51. wherein the computer security s tep 
comprises a portion of a computer security threat investigation procedure, wherein the computer 
is strategically located relative to a source of a computer security incident 

55. (Currently Amended) The method of Claim 51. wherein each computer security s tep 
to be executed in a computer security threat procedure comprises one or more off-the-shelf 
security application programs. 

56. (Currently Amended) A method for generating a permanent record of one of more 
computer security incidents and reactions thereto, comprising the steps of: 

receiving computer security incident information indicating one of suspicious 
computer activity comprising one or more violations attacks received from a network 
computer[[,]] that ooouro occur prior to a computer security threat and an actual computer 
security threat; 

classifying the computer security incident information; 

displaying one or more tools for one of investigating and responding to computer 
security incident information; 

automatically suggesting a tool based on a classification of the computer security 
incident information; 

receiving a selection of a tool; 

in response to a selection of a tool, forwarding data for execution of the tool; and 
forwarding data for generating a permanent record comprising computer security 
incident information, executed tool information, and corresponding date and time stamps. 

57. (Original) The method of Claim 56 f further comprising the step of displaying the 
tools as icons on a computer display. 

58. (Original) The method of Claim 56, further comprising the step of displaying a 
plurality of tools that are selectable from a menu. 
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59. (Original) The method of Claim 3 1 , further comprising the step of installing the one 
or more program modules within a single program on a server. 

60. (Original) The method of Claim 31, further comprising the step of installing the one 
or more program modules on a single server. 

61. (Original) The method of Claim 31, further comprising the step of installing the one 
or more program modules on a computer that is a target of a computer incident. 

62. (Original) The method of Claim 31, further comprising the step of installing the one 
or more computer modules on both a computer that is a target of a computer incident and a 
server. 

63. (Original) The method of Claim 27, wherein the table further comprises Internet 
address ranges, the method further comprising the step of comparing an Internet address of a 
computer subject to an attack or security breach with the Internet address ranges of the table, 

64. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing Internet address of 
a witness to a computer security incident with the Internet address ranges of the table, 

65. (Previously Amended) The method of Claim 27, wherein the table further comprises 
Internet address ranges, the method further comprising the step of comparing an Internet address 
of an accomplice to a computer security incident with the Internet address ranges of the table. 
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